Snort mailing list archives

Limits of Snort TCP reconstruction


From: tom.barbette () ulg ac be
Date: Thu, 31 Aug 2017 16:37:32 +0200 (CEST)

Hi list,

I read a lot of documentation, but it is still not clear to me what the limitations of the Snort TCP reconstruction are. It seems that when creating a rule which matches on TCP payload, it will match the payload across multiple packets. But what's the limit in terms of number of packets here?

E.g. if I want to match on "<script>.*</script>" in HTTP payload, would Snort fail to match if ".*" is actually big enough?

If someone can link me to some more documentation, or help me understand the limits, that would be great.

Thanks,

Tom